According to PANews, crypto investigator ZachXBT has revealed that over $16.58 million in payments have been directed to North Korean IT workers employed by various projects and companies since January 1, 2025. This amounts to an average of $2.76 million per month. At monthly salaries ranging from $3,000 to $8,000 per person, that monthly average suggests that between 345 positions (at $8,000 each) and 920 positions (at $3,000 each) may have been infiltrated.
ZachXBT monitored six clusters, identifying one where eight North Korean IT workers were employed across more than 12 projects. The payment addresses were traced to two main collection points. Open-source intelligence indicated that a member of this cluster, Sandy Nguyen (@bullishgopher), was photographed next to a North Korean flag while in Russia.
Despite the public availability of numerous indicators and research materials pointing to these infiltrations, some individuals dismiss the findings as conspiracy theories. Further communication with related teams uncovered additional suspicious activities within the cluster, such as refusal to meet in person despite claiming to be in the same city, mutual job recommendations, unusual IP addresses, username changes, account deletions, payments to the same address, and failure to pass KYC checks.